Hello, I'm facing a problem I don't understand and I hope that someone here can help me. I managed to reduce it to a simple pcap (available here: http://dl.free.fr/eheNlphr1) which is only a few KB. If I run:
I get this output:
What I don't understand is that packet 8 seems to have 2 204 responses. If you look carefully at the packets, you will see that: packet 1 is the HTTP request, packet 2 is an HTTP response 204 (the first one), packet 3 is an ack for packet 2, packet 4 is the second HTTP request, etc. I was expecting to have packet 2 dissected as an HTTP response with status 204 but it is not. At this point, I suspect this is linked to the presence of Content-type (which, admittedly is weird for a 204 but not forbidden). If it is the reason, is there any way to change the behavior and have the packet 2 dissected as an HTTP response. Apologies if my terminology around dissection and packets/frames/PDU is not correct. And thanks to any help anyone could provide. Antoine. asked 09 Nov '16, 10:18 antoine-sticky |
One Answer:
To me, the problem is not so much the presence of the Content-Type header in a 204 response as the absence of any actual content in a PDU bearing this header. If I get right what happens, the absence of contents where it is expected due to presence of Content-Type header somehow makes the HTTP dissector return "not enough data" when it is offered frame 2, causing the TCP dissector to continue reassembly and offer the contents of frame 2 to the HTTP dissector once more, concatenated with the contents of frame 5, with the same result (HTTP dissector doesn't find any content even here so it returns "not enough data" again). Only the zero size of the TCP payload which comes in frame 8 somehow makes the HTTP dissector process both the previously received PDUs properly, probably because it analyses them into deeper detail than in the previous passes, and render them as two distinct PDUs in a single reassembled segment. I recommend you to file a bug as the HTTP dissector is clearly able to handle the (weird!) data properly, except that it is "lazy" to do that already during the initial "fast scan" phase. If that may help you continue analysis of a particular scenario, unticking the (ticked by default) HTTP dissector preference answered 09 Nov '16, 13:16 sindy edited 10 Nov '16, 00:42 |
Hello Sindy,
Thanks for your time and response. I followed your reco and posted a bug (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13116).
You seem to imply that this is due to the "fast scan" phase. Is there a way to enable a slower (more in-depth) scan phase that would return the appropriate segments ? My original purpose was to measure http.time and see if a delay in http responses could explain some of the problematic behaviors I'm seeing in my application. Obviously with this bug I cannot get appropriate numbers.
The workaround seems to be working fine. At least it's enough for me to pursue my original analysis.
Thanks for your precious help, I really appreciate it.
A.